[strongSwan] strongswan how to check certreq and how to build certreq field

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 21 21:09:11 CET 2012


On 11/21/2012 08:47 PM, Jun Yin wrote:
> Hi,
>
> I know certreq should be filled by part of hash of certificate
> authority, but I don't know an easy way to calculate it by myself.
>
> From my debug:
>
> Nov 20 18:09:15 pc161 charon: 16[IKE] local host is behind NAT,
> sending keep alives
> Nov 20 18:09:15 pc161 charon: 16[IKE] received 1 cert requests for an unknown ca
> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216,
> E=hans_216 at stress.com"
> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
> E=hans_216_sub2 at stress.com"
> Nov 20 18:09:16 pc161 charon: 16[IKE] authentication of 'C=CA, ST=bc,
> L=vancouver, O=fortinet, OU=qa, CN=dut2_sub3_alt,
> E=dut2_sub3 at stress.com' (myself) with RSA signature successful
>
>
> 1. The second line said "requests for an unknown ca". I don't know
> why, I suppose I have all relevant cacert in directory
> /etc/ipsec.d/cacert. So, does that mean my peer is sending a wrong value
> in the certreq field?
>
Probably yes, since all CA certificates from /etc/ipsec.d/cacerts/
or loaded via ca sections in /etc/ipsec.conf are checked.

> 2. The third and fourth line said we're building our certreq field and
> sending it. My question is how does strongswan choose the cacert to send? I
> actually have 4 cacert in my directory /etc/ipsec.d/cacert. Why does
> strongswan choose two of them? Which kind of rule?
>
By default the SHA1 hashes of all CA certificates in
/etc/ipsec.d/cacerts/ and optionally loaded via ca sections in
/etc/ipsec.conf are sent in the CERTREQ but if you define

rightca = "<Subject Distinguished Name of CA>"

in the connection definition then only the given CA will be requested.

> 3. To confirm if strongswan is sending the correct certreq, is there a
> way to calculate the certreq field value by ourselves? Like an openssl
> command?
>
Use these commands:

   # convert the PEM CA certificate to DER
   openssl x509 -in cert.pem -outform der -out cert.der

   # SHA1 over the DER file, first field of the sha1sum output
   hash=`sha1sum cert.der | awk '{ print $1 }'`

>
> Thanks!
>

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
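The check from question 3, extended to a whole cacerts directory, as an added example that is not part of the mailing-list post. It assumes openssl, sha1sum and awk are installed and that the CA certificates are PEM files; besides the whole-certificate SHA-1 the post computes, it also prints the SHA-1 of the SubjectPublicKeyInfo, which is the value RFC 7296 section 3.7 defines for an IKEv2 CERTREQ, so a hex value taken from a peer's CERTREQ can be compared against either form.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumes openssl, sha1sum
# and awk are available and CA certificates are stored as PEM files.

# usage: certreq_hashes ca.pem  ->  "<cert sha1> <spki sha1>"
#   cert sha1 - SHA-1 over the whole DER certificate (what the post computes)
#   spki sha1 - SHA-1 over the SubjectPublicKeyInfo (RFC 7296 sec. 3.7, IKEv2)
certreq_hashes() {
    # skip files that are not X.509 certificates (keys, CRLs, stray files)
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    cert=$(openssl x509 -in "$1" -outform DER | sha1sum | awk '{print $1}')
    spki=$(openssl x509 -in "$1" -pubkey -noout \
           | openssl pkey -pubin -outform DER | sha1sum | awk '{print $1}')
    printf '%s %s\n' "$cert" "$spki"
}

# usage: certreq_match <40 hex chars seen in a CERTREQ> [cacerts dir]
# Prints "<file> cert" or "<file> spki" for every CA whose hash matches and
# returns 0; prints nothing and returns 1 when no CA in the directory
# matches, which is the situation behind "cert requests for an unknown ca".
certreq_match() {
    want=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    dir=${2:-/etc/ipsec.d/cacerts}
    found=1
    for pem in "$dir"/*; do
        [ -f "$pem" ] || continue
        hashes=$(certreq_hashes "$pem") || continue
        case "$hashes" in
            "$want "*) echo "$pem cert"; found=0 ;;
        esac
        case "$hashes" in
            *" $want") echo "$pem spki"; found=0 ;;
        esac
    done
    return $found
}
```

Run `certreq_match <hex> /etc/ipsec.d/cacerts` with the value the peer sent; no output means the peer asked for a CA that is not installed locally.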
